CVSS (Common Vulnerability Scoring System) is a standardized framework that assigns numerical scores from 0-10 to security vulnerabilities, helping cybersecurity professionals prioritize which threats to tackle first. Higher scores indicate more severe vulnerabilities that pose greater risks to your systems.
Understanding CVSS: The Basics
Think of CVSS as a report card for vulnerabilities. Just like grades help teachers identify which students need the most attention, CVSS scores help security teams figure out which vulnerabilities deserve immediate action.
The scoring system ranges from 0 to 10, with severity levels that look like this:
0.0: None
0.1-3.9: Low
4.0-6.9: Medium
7.0-8.9: High
9.0-10.0: Critical
But here's the thing—CVSS isn't just pulling numbers out of thin air. These scores are calculated using specific metrics that evaluate how exploitable a vulnerability is and what kind of damage it could cause.
The Three Pillars of CVSS Scoring
Base Metrics: The Foundation
Base metrics focus on the inherent characteristics of a vulnerability. They're like the DNA of the security flaw—these qualities don't change regardless of your specific environment.
Exploitability factors include:
Attack Vector: Can attackers exploit this remotely, or do they need physical access?
Attack Complexity: Is this vulnerability easy to exploit, or does it require advanced skills?
Privileges Required: Does the attacker need admin rights, or can anyone exploit this?
User Interaction: Must a user click something, or can this be exploited automatically?
Impact factors measure:
Confidentiality: How much sensitive data could be exposed?
Integrity: Can attackers modify or delete important information?
Availability: Will this vulnerability disrupt system access or functionality?
Temporal Metrics: The Reality Check
Temporal metrics acknowledge that vulnerabilities evolve over time. A brand-new vulnerability might seem scary on paper, but if there's no known exploit code and a patch is already available, the real-world risk drops significantly.
These metrics consider:
Exploit Code Maturity: Are working exploits publicly available?
Remediation Level: Is there an official patch, workaround, or just temporary fixes?
Report Confidence: How certain are we that this vulnerability actually exists and works as described?
Environmental Metrics: Your Specific Context
This is where CVSS gets personal. Environmental metrics let you adjust scores based on your organization's unique situation—because a "critical" vulnerability on an isolated test server isn't the same as one on your customer database.
Key considerations:
Security Requirements: How important is the affected system to your business?
Modified Base Metrics: Do your existing security controls reduce the vulnerability's impact?
The Evolution of CVSS: why version matters
CVSS has been around since 2003, evolving through several versions. Currently, most organizations use CVSS v3.1 (released in 2019), though CVSS v4.0 launched in 2023 with improved accuracy.
Here's why this matters: the same vulnerability can receive different scores depending on which CVSS version is used. According to SANS, one CVE showed a score of 5.5 (Medium) in CVSS v3 but only 2.1 (Low) in CVSS v2. That's a significant difference that could affect your remediation timeline!
CVSS limitations: what it doesn't tell you
While CVSS provides valuable standardization, it has some blind spots that security teams need to understand:
Context is everything: CVSS doesn't know your business. A "medium" vulnerability in your payment processing system might be more urgent than a "high" vulnerability in a development environment.
It's not a crystal ball: CVSS can't predict which vulnerabilities are actively being exploited in the wild. This is where complementary systems like EPSS (Exploit Prediction Scoring System) come in handy.
One size doesn't fit all: Your organization's risk tolerance, existing security controls, and asset criticality all influence how you should interpret CVSS scores.
CVSS vs. CVE: understanding the relationship
Here's a quick clarification that trips up many people: CVE and CVSS aren't the same thing, but they work together.
CVE (Common Vulnerabilities and Exposures): A unique identifier for specific vulnerabilities (like CVE-2014-0160 for Heartbleed)
CVSS: The scoring system that rates how severe each CVE is
Think of CVE as the name tag and CVSS as the danger rating. You need both to make informed decisions about vulnerability management.
Using CVSS effectively in your security program
Smart security teams don't rely on CVSS scores alone. Here's how to use them as part of a comprehensive approach:
Start with CVSS, but don't stop there: Use Base scores for initial triage, then factor in Temporal and Environmental metrics
Consider your business context: A vulnerability affecting customer data deserves more attention than one on an internal wiki
Look for active exploitation: Check threat intelligence feeds to see if vulnerabilities are being actively exploited
Evaluate your existing controls: Network segmentation, WAFs, and other security measures can significantly reduce actual risk
Frequently asked questions about CVSS
The Base Score only considers the vulnerability's inherent characteristics. The overall CVSS score can include Temporal and Environmental adjustments that reflect real-world conditions and your specific environment.
Not necessarily. While Critical vulnerabilities (9.0-10.0) are severe, you should also consider factors like asset criticality, exposure, and available exploits. A Critical vulnerability on an isolated system might be less urgent than a High vulnerability on a public-facing server.
Base scores typically don't change once assigned, but Temporal scores can shift as exploit code becomes available or patches are released. Environmental scores are unique to your organization and should be reassessed when your infrastructure changes.
You shouldn't change Base scores, but you can and should calculate Environmental scores that reflect your specific context. This might lower the effective score if you have strong compensating controls, or raise it if the affected asset is business-critical.
Most vulnerability scanners automatically pull CVSS Base scores from databases like the
National Vulnerability Database (NVD). However, they typically don't calculate Temporal or Environmental scores—that's up to your security team.
Key takeaways for smart vulnerability management
CVSS provides essential standardization for vulnerability assessment, but it's most effective when combined with business context and threat intelligence. Use Base scores for initial prioritization, but don't forget to factor in your organization's specific risk profile and existing security controls.
Remember: the goal isn't to chase perfect CVSS scores—it's to reduce real-world risk to your organization. Sometimes that means tackling a "Medium" vulnerability that affects critical business systems before addressing a "Critical" vulnerability that's well-contained.
Want to see how Huntress can help you move beyond simple CVSS scoring to comprehensive threat detection and response? Our platform combines vulnerability insights with real-time threat hunting to keep your organization secure.
Protect What Matters
